Hugo Bertin

Hugo Bertin is a Visiting Student in the SeRBER research group at KAUST, Saudi Arabia. He got his master degree in CS from the University of Rennes, France. During this degree he realised different internships at the IRISA research lab, in France, where he could work on isolation units in the cloud under the supervision of Prof. David Bromberg and Ass. Prof. Djob Mvondo. He also studied software engineering and cyber-security as an exchange student at Newcastle University, UK.

He is interested in the network and system aspects inherent to distributed systems, which often involve a trade-off between security and performance. He is currently working on EGaming Security under the supervision of Prof. Marc Dacier and Prof. David Bromberg. The research project aims to investigate the security aspects leveraged by the gaming industry, which has experienced unprecedented growth and is expected to continue to shape tomorrow's virtual worlds. This comes with new challenges to enhance security, mainly to prevent cheating. From a technical point of view, Hugo is investigating synchronization and security mechanisms in game engines such as Unreal Engine.


Session

10-25
16:45
30min
Disconnecting games with a single packet: an Unreal untold story
Hugo Bertin

In 2023, the gaming industry reached a worldwide revenue of US$384.9 billion. Yet, this industry is facing a growing number of cheating actors and techniques.

We introduce new attacks targeting multiplayer games based on Unreal Engine such as Fortnite, PUBG, Valorant... These attacks disconnect a player from an ongoing game session against his will. Cheaters can launch it as a Denial-of-Service against opponents with very few packets (sometimes only one). In most cases, the attacker can steal the victory from the target without exposing himself as a cheater.

It is important to understand that these attacks do not exist because of a vulnerability or an implementation error. They are conscious design choices, dictated by the constraints inherent to a widely distributed multiplayer game. Mitigating these attacks is thus not trivial.

This talk shows how such issues present in a single game engine can spread widely, across several games produced by different editors. It is quite probable that other game engines, such as Unity, are not immune to these issues. However, this presentation solely focuses on the Unreal Engine whose source code is available. We present our analysis of the design and implementation choices made within the Unreal Engine. We explain how to exploit the protocols used. We cover and discuss how to defeat some common countermeasures used on the Internet against IP spoofing, such as Source Address Validation. We mention some mitigation strategies for video game developers. We show videos of these attacks against real popular games.

topic: hack.lu
Europe - Main Room